Re: kern/52592: npf max-mss corrupts TCP checksum

[Michael van Elst <mlelstv%serpens.de@localhost>]

The following reply was made to PR kern/52592; it has been noted by GNATS.

From: Michael van Elst <mlelstv%serpens.de@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/52592: npf max-mss corrupts TCP checksum
Date: Wed, 4 Oct 2017 16:07:47 +0200

 Analysis:
 
 1. the TCP stack prepares a partial TCP header checksum when a session
    is created.
 2. Packets are then passed with that partial checksum through pfil_run_hooks()
    which calls npf.
 3. Finally the remaining checksum which includes the TCP options is
    calculated or offloaded to hardware.
 
 So, for outgoing packets, the max-mss difference is effectively
 added twice to the checksum, causing the observed problems.
 
 For incoming packets, the checksum handling is done before the packet
 filter sees the packet, and the checksum needs to be always adjusted.
 
 If the packet filter could distinguish between incoming and outgoing
 packets, it could also handle the checksum adjustments accordingly.
 But in npf the packet direction is lost after looking up the
 stateful npf_match_info with npf_conn_pass().
 
 
 I have augmented the npf_match_info structure to record the original
 direction and changed npf_conn_pass to not overwrite that value. This
 fixes the problem, but it's a rather crude patch that needs discussion.
 
 
 
 Greetings,
 -- 
                                 Michael van Elst
 Internet: mlelstv%serpens.de@localhost
                                 "A potential Snark may lurk in every tree."